- Newest
- Most votes
- Most comments
Ultimately, at some point, you'll have a bucket that does not have access logging enabled because you'll always have a circular reference and then a runaway increase in logging.
Best practice is to lock down the bucket to which those access logs are being written by using version history, MFA on Delete, restricting access to service roles (which does not include delete actions) from systems where the logs can be accessed (e.g. SIEM, Amazon Redshift, Amazon OpenSearch, or other data warehouse/visualization solution).
You will still have AWS Cloudtrail logs which can also help identify access requests to the bucket to provide some level of access monitoring. Finally, the AWS Documentation on [S3.9] S3 bucket server access logging should be enabled explicitly states:
"The target logging bucket does not need to have server access logging enabled, and you should suppress findings for this bucket."
Did you check this documentation
thank you for your answer. I checked the documentation but didn't find the answer I expected.
Check this blog and also make sure that the permissions through bucket policies and/or ACL is not blocking.
https://aws.amazon.com/premiumsupport/knowledge-center/s3-server-access-log-not-delivered/
Sorry I didn't ask the question well. I am not having trouble with how to output the access log, but rather where to output the access log for the bucket that collects the access log.
source bucket target bucket for access log Bucket-A Log-Bucket Bucket-B Log-Bucket Log-Bucket ?????
You could set it up to any bucket of your choice, is there any trouble with that?
I am concerned about the following cases.
- Access Bucket-A (access to Bucket-A occurs)
- Access log to Bucket-A is output to Log-Bucket (access to Log-Bucket occurs)
- Access log to Log-Bucket is output to Log-Bucket2 (access to Log-Bucket2 occurs)
- Access log to Log-Bucket2 is output to Log-Bucket3 (access to Log-Bucket3 occurs)
Wouldn't it be an infinite loop like this?
Relevant content
- asked 3 years ago
- asked a year ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 4 months ago
- AWS OFFICIALUpdated 7 months ago
- AWS OFFICIALUpdated 5 months ago
Thank you for your answer. I see that I can suppress the log bucket. (Select the bucket and click on the Workflow status button, then Suppressed)